Can I chain together two searches in Splunk Web?


Is it possible to chain together two searches? Basically, I need to grab the IP address from my web server logs (if it received a 503 status code) and match it up with my app server logs (log4j).

This gives me the list of Apache calls which resulted in a 503 status code:

index=weblogs status=503

I want to use "clientip" from these matches as the key for a lookup on another index.

Is that possible?



Splunk Employee

You should be able to use subsearches for this. See "How subsearches work" in the documentation.
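
A subsearch for the case in the question could look like the following. This is an added example, not part of the original answer. It assumes the app server events live in an index named `applogs` and carry a field that is also called `clientip`; both are hypothetical, and the 24-hour window is only an illustration.

```spl
index=applogs earliest=-24h   ```assumed index name for the log4j events```
    [ search index=weblogs status=503 earliest=-24h
      | dedup clientip
      | fields clientip ]   ```returns (clientip="...") OR (clientip="...") to the outer search```
| sort 0 clientip, _time
```

If the app logs use a different field name for the address, add `| rename clientip AS <that field>` as the last command inside the brackets. Subsearch output is capped by `limits.conf` (by default 10,000 results and 60 seconds of runtime), so keep the inner search narrow.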